McAfee Labs Blog

McAfee Labs Q4 Threat Report

Today we unveiled our Q4 Threats Report, which highlights the most significant spam-generating stories in 2009 as well as the rise of political hacktivism in countries like Poland, Latvia, Denmark and Switzerland. The report’s findings also reveal that 2009 averaged approximately 135.5 billion spam messages per day, yet spam volume decreased by 24 percent in Q4 compared to Q3.

Spammers utilized headlines heavily in 2009, taking advantage of breaking news stories, global tragedies and timely events. The Air France plane crash and Michael Jackson’s death were among the top tragedies exploited by spammers last year. McAfee researchers also noted a significant number of 2010 FIFA World Cup-themed phishing scams, Zeus Trojans masked as the CDC, referencing the H1N1 vaccine program, and “get-rich-quick” scams due to the rise of U.S. unemployment levels.

Politically-motivated attacks are on the rise around the world, targeting popular social networking destinations, as seen recently with the Iranian Cyber Army’s political attack aimed at Twitter. The report confirms that the United States is not the sole target, nor is China the sole origin of these types of attacks, with recent political attacks targeting the Polish government, the Copenhagen Climate Conference and Latvia’s Independence Day.

Malware including fake security software, attacks on social networks, and Auto-Run USB infections continued to rise significantly last year. Internet-based, Web 2.0-centric attacks and threats on portable storage devices played a huge role in 2009, contributing greatly to the sheer increase in threats and demonstrating how the nature of computer threats is evolving over time. Cybercriminals used social networking sites to target a new generation of victims, with Koobface activity increasing considerably during the latter part of 2009. Koobface is now hosted by servers in 46 different countries, with the U.S., Germany and Denmark making up the top three hosting locations.

China Overtakes the U.S. as No. 1 Country Producing Zombies

Zombie production in the U.S. dropped significantly from 13.1 percent in Q3 to 9.5 percent in Q4, making China the top zombie-producing country at 12 percent. Brazil ranked third, with Russia and Germany rounding out the top five countries. The U.S. still remains the number one country in terms of spam production, with Brazil and India taking the number two and three spots. Ukraine and Germany joined the list of top 10 countries producing spam for the first time in 2009.

The Geographic Distribution of Web Threats

North America is the worldwide leader in hosting malicious content, with EMEA in second, followed by Asia/Pacific. In Europe, Germany holds the number one spot, followed by the Netherlands and Italy. China is the chief host for malicious content in Asia, followed by Russia and South Korea. South America is beginning to play a larger role, with Brazil as the top hosting country in that region.

China is the Worldwide Leader in SQL Injection Attacks

Although SQL-injection attacks originate from a number of countries across the globe, China was by far the number one country hosting these assaults at 54.4 percent. Due to the growing popularity of Adobe applications, McAfee Labs saw a number of client-targeted attack attempts to exploit Flash and Acrobat Reader.

A full copy of the Q4 2009 Threats Report is available here.

Dave Marcus is ready for his Oscar

As a rule, we don’t do product plugs on this blog for obvious reasons. This is the place for research and data on threat and response. But we’re going to make an exception to bring you a video from Dave Marcus, the guy who keeps the McAfee Labs blog running, and runs a couple dozen other things besides.

The charts. The glasses. The necklace. The patent wall. The hair! (Sorry ladies, he’s taken.)

Now we return to your regularly scheduled data feed. That is all.

Protecting Privacy by Design

This guest post was written by Benjamin Edelman, Assistant Professor at Harvard Business School and an advisor to McAfee.

Last week I revealed troubling transmissions by the Google Toolbar: Even when a user specifically “disable[s]” the Google Toolbar, and even when the Toolbar disappears from view, the Toolbar continues tracking users’ online behavior—including specific web pages visited and specific searches run on other search engines. To Google’s credit, after I posted my article Google promptly fixed these nonconsensual transmissions—but big questions remain. How did this bug slip through Google’s internal testing? What happens to the data Google collected without user consent? And why was Google collecting this data in the first place?

Rethinking Disclosure
I’ve recently begun talking to all the Google Toolbar users I can find. Checking their PCs, I see that they usually have Google’s “Enhanced Features” turned on—meaning Google is tracking their every page view and every search. But they usually don’t know about that tracking. Why not? They were told—but not in a way they understood or remembered.

For one, Google discloses its tracking in a “bubble” pop-up that appears immediately after Toolbar installation. By all indications, the installation is complete, and users just want to get back to work—not answer more questions or make more decisions. This suggests a first principle: Seek consent when users are inclined to make an informed decision. This should be an integral part of an installation, not an afterthought.

Beyond the timing of disclosure, the substance of disclosure is also crucial. Google’s current installation says Enhanced Features will “tell us [Google] what site you’re visiting by sending Google the URL.” What exactly does that mean? Will Google track “sites” (such as “nytimes.com” for the New York Times) or “URLs” (referencing specific articles and searches)? Remarkably, Google’s disclosure is internally inconsistent: Google uses the terms sites and URLs interchangeably, when in fact the concepts are quite different. Certainly that’s improper. Disclosures should be clear, precise, and entirely accurate.

Communications professionals have expertise to offer. To make a disclosure clear, it should appear in a dedicated screen with a title, layout, and format that emphasize what’s important. Headings, topic sentences, and sentence structure can help users understand. How does Google stack up on these fronts? Unfortunately, Google seeks permission for Enhanced Features in a screen entitled “Introducing Sidewiki”—a marketing pitch for a new feature, hardly alerting users to the serious privacy matters that follow. Better alternatives would be “Important Privacy Decision” or “Set Your Privacy Preferences”—identifying the crux of the question and introducing the material that follows. This crucial screen should seek to inform, not to persuade. Most of all, it should be designed by policy professionals and communication professionals—not marketers.

A user seeking more information should be able to review a further document with appropriate details. Here, too, accuracy and precision are crucial, and Google’s current approach falls well short. Google’s statement makes no mention of these Toolbar transmissions until Page Five. Even there, Google’s text contradicts itself, both explicitly and through unavoidable interpretation of Google’s statements and omissions (details). Equally striking is Google’s defective formatting: Google loads its privacy notice in a browser window with no menu or toolbar—hence no ability for users to copy, search, save, or print these important materials. These design decisions are ill advised. Disclosures should be user friendly and should encourage users to take the time to understand them.

For these sensitive transmissions, which continue every time a user runs a web browser, disclosure need not occur just once. When a program has such important privacy consequences, it should remind users of its effects from time to time, employing an alert or message to make sure users are still onboard. A periodic reminder—perhaps once per quarter, or whenever Google Toolbar auto-upgrades to a new version—would help users remember what’s installed.

Improving the Substance of Privacy Protection
Good privacy means more than disclosure. Through sensible adjustment of data collection and retention practices, software developers can dramatically reduce the privacy implications of their services.

For one, companies should reexamine what data they collect in the first place. Do many users actually want the features purportedly justifying detailed tracking? When it comes to Google Toolbar, I have my doubts: I don’t think many users want to know page-level PageRanks. Nor does Google Sidewiki feature a quantity or quality of comments sufficient to justify the significant privacy intrusion. My guiding principles: Provide genuine value, and put users’ interests first. Collect data only when there is a compelling immediate reason, in the user’s personal interest, to do so. An amorphous benefit, such as improving service or building a community, is not good enough.

Systems should transmit as little information as possible to satisfy a user’s request. Consider two alternative approaches to tell a user the PageRank popularity of a site. In a first system, the user’s computer sends a server the full URL of the user’s request, and the server returns the PageRank of that specific page. Alternatively, the user could send just the domain name at issue, and the server could return a list of popular URLs and PageRanks on that domain. With the right system of wildcards and aggregation, the latter approach need not use much more bandwidth, and it’s a modest and reasonable increase in complexity. But the privacy benefits are dramatic: In the first system, the server learns each user’s every page view, whereas the second keeps specific page views confidential.
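The two lookup designs contrasted above, worked through as an added example (not code from the original post, and not Google Toolbar’s own protocol). The PageRank table, the URLs and the wildcard-pattern matching are constructed assumptions; the point of the example is the `seen` list, which records exactly what the server learns about the user under each design.

```python
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit

# Constructed toy "PageRank" table keyed by host/path patterns (fnmatch
# wildcards). A longer pattern is treated as more specific, so an exact page
# entry wins over a wildcard that covers its whole section of the site.
TOY_RANK_TABLE = {
    "example.org/*": 3,
    "example.org/news/*": 5,
    "example.org/news/2009/12/budget-vote": 6,
    "example.net/*": 4,
}


def normalize(url: str) -> str:
    """Reduce a URL to 'host/path' so it can be matched against the table."""
    parts = urlsplit(url)
    return parts.netloc.lower() + (parts.path or "/")


def best_match(url: str, table: dict) -> Optional[int]:
    """Rank of the most specific (longest) pattern matching the URL, or None."""
    key = normalize(url)
    matches = [(len(pat), rank) for pat, rank in table.items() if fnmatchcase(key, pat)]
    return max(matches)[1] if matches else None


class RankServer:
    """Server side of both designs; `seen` records what it learns about the user."""

    def __init__(self, table: dict = TOY_RANK_TABLE):
        self.table = table
        self.seen = []

    def rank_for_url(self, url: str) -> Optional[int]:
        """Design 1: the client sends the full URL, so the server logs every page view."""
        self.seen.append(normalize(url))
        return best_match(url, self.table)

    def entries_for_domain(self, domain: str) -> dict:
        """Design 2: the client sends only the domain; the server answers with all
        entries it holds for that domain and never learns which page was viewed."""
        self.seen.append(domain)
        return {pat: rank for pat, rank in self.table.items()
                if pat.split("/", 1)[0] == domain}


def lookup_full_url(server: RankServer, url: str) -> Optional[int]:
    """Client for design 1: ask the server about the exact page."""
    return server.rank_for_url(url)


def lookup_domain_only(server: RankServer, url: str) -> Optional[int]:
    """Client for design 2: fetch the domain's entries, then match the page locally."""
    domain = urlsplit(url).netloc.lower()
    return best_match(url, server.entries_for_domain(domain))


if __name__ == "__main__":
    page = "http://example.org/news/2009/12/budget-vote"
    s1, s2 = RankServer(), RankServer()
    print("design 1 rank:", lookup_full_url(s1, page), "server saw:", s1.seen)
    print("design 2 rank:", lookup_domain_only(s2, page), "server saw:", s2.seen)
```

Both clients arrive at the same rank for the same page; the difference is that design 1 leaves `example.org/news/2009/12/budget-vote` in the server’s records while design 2 leaves only `example.org`. Returning wildcard patterns rather than every URL on the domain is what keeps the design 2 response small.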

Finally, companies should limit data storage and its use with specific, firm commitments. Key questions: How long will data be retained? Who will have access and for what purposes? Although these questions sound obvious, they’re easy to overlook. Tellingly, you won’t find answers in Google’s Toolbar Privacy Policy, and even Google’s main Privacy Policy is silent on key details.

The Big Picture
My basic goal: Build privacy into the system. Collect less data, and collect data only when it’s actually in the users’ interest. Make sure users truly know what they’re accepting and why. Treat privacy protection as a valuable objective in its own right, not merely a hurdle standing between a company and a desired business opportunity. This may be tough medicine for those who seek to profit from tracking users in ever-greater detail, but it’s the right thing to do.

Hackers Disrupt European CO₂ Market

In recent weeks, various cybercrime attacks have disrupted the computer systems that allow nations to manage their national greenhouse-gas emissions quotas and their possession of carbon assets according to international agreements (the Kyoto Protocol and the European system). One quota is the right to emit the equivalent of one ton of carbon dioxide during a specified period.

The initial attack targeted the Danish CO₂ quota register that was shut down on January 12. The Danish authorities took this decision after registry users received a fake email purporting to originate from the Danish Energy Agency and redirecting the recipients to a mirror site to steal their credentials.

It seems the attackers renewed their attempt last week by sending similar emails to carbon financial services in 13 European countries. Here, too, the goal was the theft of usernames and passwords to gain access to the national CO₂ quotas management systems. This caused another quota-market closure.

Using these credentials, hackers–instead of manufacturers, governments, and brokers–would in theory be able to sell and buy quotas. During the past 18 months, fraud on the CO₂ market has caused a tax loss of €5 billion. Such access would also be useful for the biggest emitters of carbon dioxide; those countries could manipulate the international quotas to reduce their penalties. The following graphic, from Europol (the European Law Enforcement Agency), explains how such fraud can occur.

One thing is sure: the people behind these attacks cannot be simple hackers. They are likely in the pay of rogue states that reject rules-based international trade.

Be careful on help files

The other day, I came across a piece of malware that hides its infection in a way that is not especially technical but is quite unusual.

“Muster” is a family of backdoors that uses help files to hide itself. Help files, or “.hlp” files, are data files designed to be viewed with the Microsoft WinHelp browser to provide online help to application users. Earlier variants of “Muster” drop encoded copies of the main backdoor components in files with the “.hlp” extension. These “.hlp” files are later decrypted with Microsoft CryptoAPI using hardcoded keys and executed by loaders.

A recent variant, “Muster.e”, uses help files in a different way. Once installed, it infects an existing help file called “imepaden.hlp”, one of the help files for Microsoft IME. Of course, the infected help file can still be viewed in the WinHelp browser just like the original, and users are unlikely to notice the infection from its appearance.
Infected imepaden.hlp
How is this activated on each boot? Muster.e also drops a sys file that is loaded as a service upon reboot. This sys file is responsible for extracting the appended executable from the help file and copying it to a standalone executable called “upgraderUI.exe”, registered under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run as “AutoPatch”, which leads users to believe it is something related to a system update tool. On top of this, the malware authors have also crafted the sys file to deceive users.
Sys file
As you can see, this sys file uses names like “MyDDKDevice” and “HelloDDK”, is designed to dump many debug messages, and looks like a typical test driver compiled from sample code in a beginner’s guide to device driver programming. In fact, if you search for these words, you will find many web pages describing device driver programming. It is not easy to tell why the authors built the sys file this way. However, given the effort put into hiding the backdoor in help files, I don’t think the bad guys simply couldn’t be bothered to write a sys file from scratch; it looks more like an attempt to trick users into thinking it is innocent.

One likely scenario planned by the malware authors is this. Victims may notice the existence of the suspicious file UpgraderUI.exe and the registry key, delete both, and then think they have removed the backdoor successfully. Even if they see the file and the registry key come back on every reboot, they will not be able to find any other suspicious files. Users will never suspect that the sys file is malicious or that the file imepaden.hlp has been infected.

I don’t know whether these deception techniques really work; however, you might want to add help files to your checklist if a machine is suspected to be infected. McAfee VirusScan with DATs 5861 or later detects and cleans these infected help files and backdoor files.
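One way to put help files on that checklist is to compare the file size a .hlp header declares with the size on disk: an executable appended after the genuine help content, as described for Muster.e above, shows up as trailing bytes. This is an added example, not McAfee’s detection logic or anything from the original post. It assumes the 16-byte WinHelp header layout (magic 0x00035F3F, directory offset, first free block, declared file size) as documented by third-party WinHelp decompilers; the sample files it builds are constructed stand-ins, not real help files.

```python
import struct
import sys

WINHELP_MAGIC = 0x00035F3F   # assumed: first four bytes of a WinHelp (.hlp) file
HEADER_LEN = 16              # assumed: magic, directory offset, first free block, file size


def inspect_hlp(data: bytes) -> dict:
    """Compare the size the header declares with the real size and look for a
    PE image ('MZ') in any bytes that follow the declared end of the file."""
    if len(data) < HEADER_LEN:
        return {"valid_header": False, "declared_size": None, "actual_size": len(data),
                "trailing_bytes": 0, "appended_pe_offset": None}
    magic, _dir_start, _first_free, declared = struct.unpack("<iiii", data[:HEADER_LEN])
    valid = magic == WINHELP_MAGIC and 0 < declared <= len(data)
    trailing = data[declared:] if valid else b""
    mz = trailing.find(b"MZ")   # DOS/PE header marker inside the appended data
    return {
        "valid_header": valid,
        "declared_size": declared,
        "actual_size": len(data),
        "trailing_bytes": len(trailing),
        "appended_pe_offset": declared + mz if mz >= 0 else None,
    }


def is_suspicious(data: bytes) -> bool:
    """A well-formed help file should end exactly where its header says it does."""
    result = inspect_hlp(data)
    return result["valid_header"] and result["trailing_bytes"] > 0


def build_constructed_hlp(body: bytes, appended: bytes = b"") -> bytes:
    """Constructed stand-in for a .hlp file: a plausible header followed by opaque
    body bytes, optionally with extra data appended after the declared end."""
    size = HEADER_LEN + len(body)
    header = struct.pack("<iiii", WINHELP_MAGIC, HEADER_LEN, -1, size)
    return header + body + appended


if __name__ == "__main__":
    # Usage: python check_hlp.py C:\Windows\Help\imepaden.hlp ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_hlp(fh.read()))
```

The check only reports a discrepancy; a trailing-bytes result should be confirmed by scanning the file with an up-to-date engine, since a legitimate tool could also leave data after the declared end.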

Scams Take Advantage of Haiti Relief Efforts

Never is the heartless nature of cybercriminals more apparent than in the wake of a tragedy. As relief efforts continue and worldwide aid pours in to help those affected by the earthquake that rocked Haiti on January 12, cybercriminals have not slowed their efforts. They are eager to get you to donate money that the people of Haiti will never see. Spoofing legitimate relief organizations such as the Red Cross is a typical social engineering lure used by the bad guys to take your money. This morning, however, a particular scam caught my eye that I wanted to share with you. Its subject line was “Help for Haiti” and was sent by “b.obama@whitehouse.gov.” Mr. “b.obama” writes:

President Barack Obama

On Tuesday, a catastrophic earthquake struck near Port-au-Prince, Haiti. The full extent of the damage is still being assessed, but the death toll — already in the thousands — is climbing fast.

This is the worst earthquake to hit the area in more than 200 years. Entire communities have been ripped apart and as many as 3 million people have been directly affected, including tens of thousands of American citizens who are in Haiti.

Our neighbors in Haiti are racing to confront the enormous devastation — and the OFA community can help.

Read down for more information about essential relief efforts and ways you can help today.

Footage is pouring in of homes collapsing, Haitians carrying injured family members, and hospitals being overrun in what was already the poorest nation in the Western Hemisphere.

I have directed my administration to respond with a swift, coordinated, and aggressive effort to save lives. Personnel from the United States and our partners in the international community are on the ground in damaged areas right now, working side by side with the Haitian people. They’re providing much-needed food, water, and sanitation supplies, saving lives and helping local communities start to rebuild.

Despite the fact that we are experiencing tough times here at home, I encourage those who can to reach out and help. It’s in times like these that we must show the kind of compassion and humanity that has defined the best of our national character for generations.

Read here to find out what you can do:

Obama In The United Kingdom

Help Haiti

Western Union Details

Name: XXXXXXXX

Country: United Kingdom

Call us On +XXXXXXXXXX
Any Funds given to the good people of America Here in The UK will be shared among Red Cross and all relief agencies. No amount is too small.

As this story continues to unfold, I hope you will continue to keep the people of Haiti in your thoughts and prayers, as well as the many Haitian-Americans who have done so much to enrich our country and who are worried about friends and loved ones in this time of need.

Thank you,

President Barack Obama

I’ve censored some of the contact information so that nobody visiting this blog will attempt to send money to the people responsible for this scam. I cannot emphasize enough that you must perform due diligence before donating to any charity. Ensure that the money you donate is going to the cause that you choose.

A couple of things to remember:

  • Don’t respond to emails requesting donations, credit card information, or other sensitive information that you do not feel comfortable giving
  • Don’t click links within email that direct to donation websites, as they may be directing you to a malicious website under the covers
  • Don’t open attachments with donation forms, as they may be executable malware
  • Work directly with charity organizations that you know and trust

Cybercriminals prey on the emotions of their victims. That’s why social engineering tactics such as these are successful. However, if you do your homework first, follow safe email and web-browsing habits, and work closely only with reputable charities to donate money, you can feel more comfortable that your sensitive information won’t end up in the wrong hands.

Patch Released for Recent Microsoft Zero Day (CVE-2010-0249)

Microsoft has released Security Bulletin MS10-002, regarding Internet Explorer vulnerabilities. In addition to patching the flaw exposed by Operation Aurora, the company released patches for seven other vulnerabilities.

We are aware of reports of private CVE-2010-0249 exploits impacting Internet Explorer 7 and 8 (though these are mitigated with ASLR and DEP). Historically, the odds of private exploits being made public rise dramatically after a patch is released.

In my last post, I mentioned many detections were occurring on systems residing in China. The number of detections today in the United States is closing that gap.

This is not a patch to put on the back burner.

Update on Recent Microsoft 0day (CVE-2010-0249)

Here’s a quick update on CVE-2010-0249, aka the Aurora exploit. A few days ago exploit code was made public. Since then malware authors have been customizing the exploit’s payload to install their own malicious creations. Much of the field telemetry we’ve been receiving has been coming from McAfee users in China visiting websites in China. Some users have been directed to malicious sites from blog and forum posts, while other cases involve compromised web pages that use multiple JavaScript files and iframes to pull in the malicious content.

The exploits are often served from subdomains of 3322.org and 8866.org. A common filename is ie.html, which references what.jpg, which contains part of the exploit code (and not a JPEG image). Some payloads seen download files named down.css and log.css, which are malware executables. Those executables contain functionality to download other malware, including:

  • Artemis!629E2332CFDA – Generic PWS.y!bsk
  • Artemis!78043EBA321B – PWS-Mmorpg!la
  • Artemis!911BCF95C022 – PWS-OnlineGames.gx
  • Generic Downloader.x!coe
  • Generic Dropper!byp
  • Generic PWS.y!bsk
  • PWS-Mmorpg!la
  • Suspect-02!50CB7D4BB04E – Generic Dropper.hi
  • Suspect-26!4EBF601DCBF6 – PWS-Mmorpg!la
  • Suspect-26!6D89EB2792F7 – PWS-Mmorpg!hb
  • Suspect-26!B01B63F88994 – PWS-Mmorpg!la
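The domains and file names above are the kind of indicators a defender would sweep proxy logs for. The following is an added example, not McAfee’s detection content or code from the original post: it takes the indicators named in this post, parses a constructed proxy log format (timestamp, client IP, method, URL, status) and rates each hit. A subdomain of a listed domain is treated as a strong signal on its own; the file names are generic enough that, by themselves, they only merit a low-confidence flag.

```python
from posixpath import basename
from typing import Optional
from urllib.parse import urlsplit

# Indicators from the post: domains serving the exploit and file names seen in it.
SUSPECT_DOMAINS = {"3322.org", "8866.org"}
SUSPECT_FILENAMES = {"ie.html", "what.jpg", "down.css", "log.css"}

# Constructed proxy log lines (not real telemetry): time, client, method, URL, status.
SAMPLE_LOG = """\
2010-01-18T10:21:05Z 10.0.0.15 GET http://www.example.com/index.html 200
2010-01-18T10:21:09Z 10.0.0.15 GET http://abc123.3322.org/ie.html 200
2010-01-18T10:21:10Z 10.0.0.15 GET http://abc123.3322.org/what.jpg 200
2010-01-18T10:21:12Z 10.0.0.15 GET http://cdn.example.net/what.jpg 200
2010-01-18T10:21:20Z 10.0.0.22 GET http://host.8866.org/down.css 200
2010-01-18T10:21:21Z 10.0.0.22 GET http://x8866.org/style.css 200
"""


def host_in_domain(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; 'x8866.org' must not match."""
    return host == domain or host.endswith("." + domain)


def classify_url(url: str) -> Optional[str]:
    """Return 'high', 'low' or None depending on which indicators the URL matches."""
    parts = urlsplit(url)
    host = parts.hostname or ""                 # hostname is already lower-cased
    filename = basename(parts.path).lower()
    if any(host_in_domain(host, d) for d in SUSPECT_DOMAINS):
        return "high"
    if filename in SUSPECT_FILENAMES:
        return "low"
    return None


def scan_log(text: str) -> list:
    """Parse the constructed log format and return one finding per matching line."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:                    # skip malformed or blank lines
            continue
        timestamp, client, _method, url, _status = fields
        severity = classify_url(url)
        if severity is not None:
            findings.append({"time": timestamp, "client": client,
                             "url": url, "severity": severity})
    return findings


def clients_with_severity(findings: list, severity: str) -> set:
    """Client addresses that produced at least one finding at the given level."""
    return {f["client"] for f in findings if f["severity"] == severity}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["time"], f["client"], f["url"])
    print("hosts to triage:", sorted(clients_with_severity(scan_log(SAMPLE_LOG), "high")))
```

Run against a real export, the `high` findings give the list of hosts to pull for triage, while the `low` ones are worth a second look only when they cluster around the same client and time window as a domain hit.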

Given that exploit code is readily available, this is likely the tip of the tip of the iceberg in terms of the domains and malware we are likely to see over the next few weeks (and we can expect to see new exploit and related malware variants for many months, if not years, to come).

Earlier today, Computerworld reported that private exploits were created which exploit Internet Explorer 7 & 8, but that those exploits would remain private. Still, this publicity may entice others to meet the challenge and go public to prove their prowess.

On the bright side, Microsoft said today that they would release an out-of-cycle patch for this vulnerability. McAfee Labs advises those tempted to install an unofficial patch to think twice before doing so, as malware and adware often arrive under the guise of such a “fix”.

Investigating a Possible Charity Scam

On Saturday, my McAfee Labs colleague Craig Schmugar wrote about phishing sites and email scams related to the recent earthquake in Haiti. The people behind these frauds deserve to be caught by the law. I have a story that demonstrates that when several researchers join forces the bad guys run the risk of being punished.

On Sunday, among the hundreds of emails I received about Operation Aurora, I had one from Nick FitzGerald, a well-known anti-malware researcher. He asked for my opinion about a possible charity scam with a French origin.

Nick asked me to verify the details: an easy thing for a French speaker. After I tried calling the mobile phone number and got an answering machine, I contacted the town hall where the requester claimed to have his company. The official in charge did not know this company nor any local initiative in favor of the Haitian people.

Two Internet searches allowed me to identify a possible sender. First of all, I used the phone number and discovered–in the same administrative division–an individual selling a Mercedes.

As I suspected another rip-off (you pay an advance fee and you never see your car), I used the company name and discovered a professional diary with the name of the managing director: the same name as the car seller.

Finally, and just as I prepared my response to Nick, I received a call from some friends working at the French banking industry’s Computer Emergency Response Team. They had made the same discoveries, and they were also able to direct me to some court rulings related to this person. He was sentenced in 2009 after he used false insurance certificates and false bank guarantees.

Yesterday, I forwarded all this data to the authorities and hope that they will take appropriate steps. I cannot claim that this individual is once again breaking the law; in France we do enjoy the presumption of innocence. However, this story should prompt you to be vigilant and to not fall for email charity scams.

Last week the U.S. FBI released a warning on this subject. Yesterday, they renewed the message with the following guidelines:

  • Do not respond to any unsolicited (spam) incoming emails, including clicking links contained within those messages
  • Be skeptical of individuals representing themselves as surviving victims or officials asking for donations via email or social networking sites
  • Beware of organizations with copycat names similar to but not exactly the same as those of reputable charities
  • Rather than following a purported link to a website, verify the legitimacy of nonprofit organizations by using various Internet-based resources to confirm the group’s existence and its nonprofit status
  • Be cautious of emails that claim to show pictures of the disaster areas in attached files, because the files may contain viruses. Open attachments only from known senders.
  • To ensure your money is received and used for its intended purposes, make contributions directly to known organizations rather than relying on others to make the donation on your behalf
  • Do not be pressured into making contributions, as reputable charities do not use such tactics
  • Do not give your personal or financial information to anyone who solicits contributions. Providing such information may compromise your identity and make you vulnerable to identity theft.
  • Avoid cash donations if possible. Pay by debit or credit card, or write a check directly to the charity. Do not make checks payable to individuals.

I strongly agree with this advice!

McAfee ‘Hacking Exposed’ Webcast Series Fights Cybercrime

We are pleased to announce the next event in our complimentary monthly “Hacking Exposed Live!–A Webcast Series,” which educates attendees to protect against cybercrime and hackers. The monthly webcast, hosted by Hacking Exposed coauthor and McAfee Senior Vice President Stuart McClure, walks attendees through the latest hacking techniques and explains countermeasures for preventing attacks.

The next webcast is January 21 at 11 a.m. Pacific time (2 p.m. Eastern) and will feature two white-hot security topics: Botnets and Aurora–the zero-day vulnerability that last week struck Google and several other well-known companies. McAfee Worldwide Chief Technology Officer George Kurtz and McAfee Senior Director Greg Brown will join McClure to enlighten the audience on how hackers exploit these vulnerabilities and what can be done to prevent them from impacting businesses.

Based on the best-selling security book Hacking Exposed, this live monthly webcast gives attendees deep insights into current and evolving hacks and what they can do to keep their environments protected. The webcasts include everything attendees need to know to stay ahead of those who would cause harm. The sessions will also address the universe of hacks–involving social media, mobile, Unix, and more.

Click here to learn more and register today.